Twilio Refutes Claims of Data Breach in Response to Alleged Leakage of Steam Two-Factor Authentication Codes

Twilio has issued a statement denying any breach of its systems after a threat actor claimed to possess over 89 million Steam user records, including one-time access codes. The individual, identified by the alias Machine1337 (also known as EnergyWeaponsUser), is reportedly selling access to this data for $5,000.

Upon investigation, BleepingComputer discovered that the leaked files contained approximately 3,000 records comprised of historic SMS messages featuring one-time passcodes for Steam, alongside the corresponding phone numbers of recipients.

Owned by Valve Corporation, Steam is recognized as the largest digital distribution platform for PC games, boasting over 120 million active users monthly. Valve has not publicly commented on the threat actor’s assertions.

MellowOnline1, an independent games journalist and creator of the SteamSentinels community group, suggests that the incident may involve a compromise within Twilio’s supply chain. The journalist pointed to technical anomalies in the leaked data that suggest real-time logging from Twilio’s backend systems, indicating a potential compromise of admin accounts or API key misuse.

In response to inquiries from BleepingComputer about the potential role of Twilio in the alleged Steam breach, a company representative acknowledged the situation and confirmed that they were investigating the claims. The spokesperson stated, “We take these threats very seriously and are reviewing the alleged incident. More information will be provided as it becomes available.” However, Twilio later clarified that its systems had not been compromised.

A statement from Twilio emphasized, “There is no evidence to suggest that Twilio was breached. We have reviewed a sampling of the data found online and see no indication that this data was obtained from Twilio.”

Hints regarding the origin of the leaked data suggest it may stem from an SMS provider that intermediates the communication of one-time access codes between Twilio and Steam users. Some of the messages appear to be authorization codes related to Steam account access or phone number association.

Despite the investigation, BleepingComputer could not determine the exact source of the data or the identity of the SMS provider. Notably, some of the messages in the data set were relatively recent, with delivery dates starting from early March.

Twilio provides a two-factor authentication (2FA) service known as the Verify API, which is utilized by various applications, including Steam, for enhanced user authentication via multiple communication channels such as SMS, WhatsApp, and email.

As a precaution, Steam users are advised to enable the Steam Guard Mobile Authenticator for added security and to monitor their accounts for any unauthorized login attempts.